Monitor unlimited number of servers
Filter log events
Create email and web-based reports

Direct access to Microsoft articles
Customized keywords for major search engines
Access to premium content

Event ID: 1147 Source: MSExchangeIS

Source
Level
Description
Error <error code> while disabling rule on public folder with rule ID <rule ID>. The folder ID of the public folder is in the data section of this event.
Comments
 
- Error code: 1245 - This problem is due to a rule which is not getting disabled due to the mailbox limit. The event includes the mailbox with a problem in the rule. Identify the mailbox and see the storage limits. Either increase the storage limit to process the rule or delete the rule from the user's mailbox. This has to be done from the client side. See ME555407 for details about this problem.
- Error code: 1245 - If this event is preceded by EventID 8528 with source MSExchangeIS, see ME817225.

As per Microsoft: "This event indicates that there was a problem executing a rule on a public folder. Public Folders can have rules associated with them by using the Folder Assistant option in the properties of the Public Folder. For example, a Public Folder can have a rule where all incoming mail to that Public Folder is forwarded to a mailbox. This error can be caused if there is a problem executing the rule. Typically, this will occur if the mailbox to which this Public Folders mail is being forwarded has some limits set on it. You may observe an event 8528 that indicates that the mailbox in question has exceeded its limits". See MSEX2K3DB for more details.

See ME174045 to find out how to obtain, install, and use the CleanSweep tool. This tool enables you to delete permissions, forms, views, rules, or reply rule templates from a Microsoft Exchange Server mailbox.
From the event it appears to be caused by a rule that cannot be performed due to an error. The MSExchangeIS generates event ID 1147. The event being generated by the IS is pointing to the issue.
Cause: Rule cannot be performed due to a rule attempting to deliver to a mailbox that is over limits (receive limits). Even when the rule is deleted it will continue until all DAM's have been received by the mailbox (duration of a DAM is unknown) in question. This event occurs according to the schedule defined for storage warnings.

The solution requires multiple steps to resolve:
1. Turn up the diagnostic logging to maximum on the Information store for type rules.
2. Wait until the next time that the storage warning is triggered, 1147 will be logged along with additional warnings.
3. In these additional warnings, identify the mailbox in questions.
4. This mailbox was the one that originally applied the rule against the PF.
5. Although the rule may have been deleted, no longer visible, it will persist until the resolution is applied.

Additional Info:
1. The above noted mailbox has exceed its limits and cannot accept any new messages.
2. This result in a number of Exchange generated DAM's (Deferred Action Messages). The rule will continue to be processed even if it is deleted until all DAM's have been processed.

Resolution:
The resolution is to remove all limits from this mailbox and wait for a while until all of the DAM's have been processed (i.e. all DAM's sent to the mailbox in question give it up to 24 hours).

At this point, you should:
1. Either delete the rule (if still visible) and reset the mailbox limits.
2. Leave the rule in place and do not apply mailbox limits to the mailbox in question.
From a newsgroup post: "MS Tech Support say this error is from a messed up rule that someone created in Outlook. All you have to do is turn on logging for rules to find out who has the bad rule."

Windows Event Log Analysis Splunk App

Build a great reporting interface using Splunk, one of the leaders in the Security Information and Event Management (SIEM) field, linking the collected Windows events to www.eventid.net.

Read more...

 

Cisco ASA Log Analyzer Splunk App

Obtain enhanced visibility into Cisco ASA firewall logs using the free Firegen for Cisco ASA Splunk App. Take advantage of dashboards built to optimize the threat analysis process.

Read more...